Issuing certificates with OpenSSL
Reference: http://www.imacat.idv.tw/tech/sslcerts.html.zh-cn
Configuring the environment
Create an ssl directory under /home:
cd /home
mkdir ssl
cd ssl
Create a few subdirectories to use:
mkdir private certs newcerts crl
private is used to store private keys; certs is used to store the certificates that have been issued.
Copy the configuration file to the current directory:
cp /usr/share/ssl/openssl.cnf /home/ssl/
Set the environment variable so that openssl reads this copy:
export OPENSSL_CONF="/home/ssl/openssl.cnf"
Change the directory setting in openssl.cnf:
dir = /home/ssl
Generate a random-number seed file (openssl rand requires a byte count; 1024 is used here):
openssl rand -out /home/ssl/private/.rand 1024
Creating the root certificate:
1. Make the private key:
openssl genrsa -des3 -out private/ca.key.pem 2048
The parts of this command:
openssl enters the OpenSSL environment; genrsa is the OpenSSL sub-command that generates an RSA private key. -des3 encrypts the resulting private key with Triple DES; this is optional, and -des and -idea are other symmetric algorithms you can choose. -out names the output file; without it the key is written to standard output. 2048 is the length of the private key in bits; if it is omitted OpenSSL uses its default length.
When you enter this command and the private key is created, you are prompted to set a password for it.
2. Fill in the certificate request:
openssl req -new -key private/ca.key.pem -out ca.req.pem
You are prompted for the private key's password, then step by step for the fields of the request.
Because a certificate must contain a public key as well as the identity information, we pass the private key and the program derives the public key for the request from it.
3. Sign it with your own key (self-sign):
openssl x509 -req -days 1000 -sha1 -extensions v3_ca -signkey private/ca.key.pem -in ca.req.pem -out certs/ca.crt.pem
-days is the number of days the certificate is valid; -sha1 is the message-digest algorithm (the default is MD5); -signkey specifies the private key used to sign.
While it runs, enter the password you set for the private key.
The root certificate is now signed. You can delete the certificate request:
rm -f ca.req.pem
4. Create the hash index:
openssl x509 -hash -noout -in certs/ca.crt.pem
I do not know what this step is for. (The value printed is the hash of the certificate's subject name; OpenSSL uses it as the file name when looking up CA certificates in a directory given with -CApath.)
Making a server certificate signed by the CA:
1. Create an RSA private key; here we do not protect it with a password:
openssl genrsa -out private/serverkey.pem 1024
2. Fill in the certificate request:
openssl req -new -key private/serverkey.pem -out server.req.pem
3. Sign the request with the private key of the certification authority created above:
openssl x509 -req -days 100 -sha1 -extensions v3_req -CA certs/ca.crt.pem -CAkey private/ca.key.pem -CAcreateserial -in server.req.pem -out certs/server.crt.pem
-CA specifies the certificate of the certification authority, that is, the certificate we self-signed; -CAkey is the authority's private key; -CAcreateserial creates the serial-number file next to the CA certificate if it does not exist yet, so that issued certificates get distinct serial numbers.
The certificate is now signed. Delete the request:
rm -f server.req.pem
If we want to convert the certificate into PKCS#12 (.p12) format, bundling it with its private key:
openssl pkcs12 -export -clcerts -in certs/server.crt.pem -inkey private/serverkey.pem -out certs/server.p12
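The whole procedure above (root CA, CA-signed server certificate, and the PKCS#12 export) as one non-interactive script, added here as an example; it is not code from the original post. It writes everything under a scratch directory, passes -subj and -passin/-passout so nothing is prompted for, uses AES-256 in place of -des3 and SHA-256 in place of SHA-1, uses a 2048-bit server key (modern TLS stacks reject 1024-bit RSA keys), and gives each x509 -req an -extfile, because -extensions is silently ignored when no extension file is supplied, which would leave the CA certificate without CA:TRUE. The subject names, passphrases, extension profiles and the build-pki.sh file name are constructed for the example. verify_pki performs the checks a deployer should run before installing the files: the server certificate chains to the CA, its public key matches the private key, and the .p12 contains the same certificate.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a root CA, a
# CA-signed server certificate and a PKCS#12 bundle non-interactively,
# then verifies them. Names, subjects and passphrases are constructed.
set -eu

CA_PASS="pass:example-ca-passphrase"    # constructed; keep real passphrases out of scripts
P12_PASS="pass:example-p12-passphrase"  # constructed

build_pki() {
  work="${1:-$(mktemp -d)}"
  mkdir -p "$work/private" "$work/certs"
  cd "$work" && work=$(pwd)

  # 1. CA private key, encrypted at rest (AES-256 in place of the post's -des3)
  openssl genrsa -aes256 -passout "$CA_PASS" -out private/ca.key.pem 2048 2>/dev/null

  # 2. CA request; -subj supplies the identity so nothing is prompted for
  openssl req -new -key private/ca.key.pem -passin "$CA_PASS" \
    -subj "/CN=Example Test CA" -out ca.req.pem

  # 3. Self-sign. x509 -extensions only takes effect together with -extfile,
  #    so the CA profile is written inline; without it the CA lacks CA:TRUE.
  cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -days 1000 -sha256 -extfile ca.ext \
    -signkey private/ca.key.pem -passin "$CA_PASS" \
    -in ca.req.pem -out certs/ca.crt.pem 2>/dev/null
  rm -f ca.req.pem ca.ext

  # 4. Server key without passphrase (as in the post) and its request;
  #    2048 bits because modern TLS stacks reject 1024-bit RSA keys
  openssl genrsa -out private/serverkey.pem 2048 2>/dev/null
  openssl req -new -key private/serverkey.pem \
    -subj "/CN=www.example.test" -out server.req.pem

  # 5. Sign with the CA key. -CAcreateserial creates the serial file on
  #    first use; -CAserial pins where it lives.
  cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  openssl x509 -req -days 100 -sha256 -extfile server.ext \
    -CA certs/ca.crt.pem -CAkey private/ca.key.pem -passin "$CA_PASS" \
    -CAserial certs/ca.srl -CAcreateserial \
    -in server.req.pem -out certs/server.crt.pem 2>/dev/null
  rm -f server.req.pem server.ext

  # 6. PKCS#12 bundle of the server certificate and its private key
  openssl pkcs12 -export -clcerts -in certs/server.crt.pem \
    -inkey private/serverkey.pem -passout "$P12_PASS" -out certs/server.p12

  printf '%s\n' "$work"
}

# Pre-deployment checks: the server certificate chains to the CA, its public
# key matches the private key, and the .p12 holds the same certificate.
# Returns non-zero if any check fails.
verify_pki() {
  work="$1"
  openssl verify -CAfile "$work/certs/ca.crt.pem" "$work/certs/server.crt.pem" >/dev/null || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$work/certs/server.crt.pem") || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$work/private/serverkey.pem") || return 1
  [ "$cert_mod" = "$key_mod" ] || return 1
  cert_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$work/certs/server.crt.pem") || return 1
  p12_fp=$(openssl pkcs12 -in "$work/certs/server.p12" -passin "$P12_PASS" -nokeys -clcerts \
             | openssl x509 -noout -fingerprint -sha256) || return 1
  [ "$cert_fp" = "$p12_fp" ]
}

# Usage: sh build-pki.sh run   (the file name is hypothetical)
if [ "${1:-}" = "run" ]; then
  dir=$(build_pki)
  verify_pki "$dir" && echo "chain, key and bundle verified under $dir"
fi
```

The two -extfile profiles are the part most worth carrying back to the post's commands: a CA certificate without basicConstraints CA:TRUE is rejected by current verifiers, and a server certificate without subjectAltName is rejected by current browsers even when the CN matches.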
Tags: linux OpenSSL X509